
Bought, not stolen

The malware that spent months wearing Microsoft’s trust didn’t steal a thing. No cracked certificate authority, no private key lifted off some breached vendor. There was, in effect, a shop: you uploaded your malware to a website, paid somewhere between five and nine thousand dollars, and got it back signed with a real, valid certificate. The same kind that vouches for the software you actually want on your machine.

The crew running that shop is one that Microsoft’s Digital Crimes Unit tracks as Fox Tempest, and the certificates weren’t forged. They were minted through Microsoft’s own code-signing service, which Fox Tempest abused under a pile of fake identities and impersonated companies, then resold to anyone with the money. The malware they dressed up was the usual rogues’ gallery: the Oyster backdoor and the Lumma and Vidar infostealers, often got up as spoofed Teams or AnyDesk installers. In May, Microsoft pulled the operation apart: more than a thousand fraudulent certificates revoked, the infrastructure seized, a lawsuit filed against Fox Tempest and the ransomware crew behind Rhysida that had been paying for the service. For the better part of a year, a valid Microsoft signature was a product you could check out of a basket.

The reflex is to file this under “another supply-chain breach”. It isn’t one. Nothing was breached. The system did exactly what it was built to do, for a paying customer who’d lied about who they were. That’s the part worth sitting with.

We have been here before

None of this is new. I went back and read a Trend Micro write-up on code-signing abuse from 2018, and it could have gone out last week. Stuxnet carried valid signatures from stolen Realtek and JMicron certificates. After Sony Pictures was ransacked in 2014, the attackers signed their Destover malware with Sony’s own keys. The names rotate and the methods rotate; the story doesn’t: there is a trust mark, there is money in wearing it, so somebody works out how to wear it.

I’ve started thinking of them as honest villains. Not honest with their victims, obviously. Honest in their incentives: a rational operator who finds a loophole and works it for everything it’s worth, because there’s profit on the other side of it. You can be as furious at Fox Tempest as you like, and I am, and prosecution is exactly right, but the honest villain is never the surprise. The honest villain is a constant. Build a gate worth getting through and one will turn up to test it… every single time! That isn’t cynicism. It might be the most dependable law we’ve got.

A seal was never a promise

Here’s the thing we keep forgetting about a signature, and it goes back a very long way.

For most of human history, trust was blood. You trusted the people you were bound to, by birth and by the pacts of kinship and marriage that held a tribe together. It worked, for tens of thousands of years, because the circle was small enough that everyone you needed to trust was someone you knew, or someone known to someone you knew. The bond and the accountability were the same thing. Betray the tribe and the tribe knew precisely whose door to come to.

Then we outgrew the tribe. We started trading with strangers, across distances and across lifetimes, with people we would never meet and could never vouch for by blood. And blood stopped being enough. So we built stand-ins for it. The wax seal pressed into a letter. The signature at the foot of a contract. The notary, the stamp, the certificate. Each one a small portable proxy for the bond of kinship we’d walked away from.

But look at what a seal actually did. A seal on a letter never told you the letter was true. It told you whose seal it was, which is to say it told you who to hold responsible if the letter turned out to be a lie. It was never a guarantee of honesty. It was a marker of accountability. It pointed at a person.

A code signature is the newest seal in that very old line, and it does the same single job. It does not tell you the software is safe. It was never built to. It tells you who signed it, which is to say who to come to when it isn’t. That’s the whole of it. The padlock in the browser, the green tick on the installer, the verified signature on a binary, none of them ever meant “this is good”. They meant “here is a name attached to this”.

The part you cannot sell

Which brings me to the uncomfortable bit, the one that points back at me as much as at Redmond.

If a signature is a name accepting responsibility, then the power to sign and the blame for what you sign are the same object. You don’t get one without the other. You cannot hold out the seal and quietly keep back the accountability behind it, because the accountability is the only thing the seal was ever made of.

That is exactly what came apart here. Microsoft holds enormous power as a signing authority, the power to make code look trustworthy to millions of machines. With that power comes the plain duty to check who you’re handing it to. They took the first part and skimped on the second. They sold the seal and skipped the diligence the seal is supposed to stand for, and the honest villain simply walked through the gap between the two.

And I have to hold myself to that very same rule, or I’ve no business naming it. I sign my own releases. Every go-tool-base release carries an OpenPGP signature over its checksums, made by a key that never leaves AWS KMS, with the public key published off-platform so the release host can’t quietly swap it. I do it so the people who use my tools, and they’re a varied bunch, can trust that what they’re running genuinely came from me.

But trusting me was never really the question. Here’s the one that keeps me up: what happens the day I’m the weak point? If a contributor slips something rotten into my code, or one of my own AI agents writes something it shouldn’t, and my automation dutifully signs it, then the signature does its job perfectly and the whole house of cards comes down. My users can trust me all they like. The seal will still say “Matt”, and it will be telling the truth, and that is precisely the problem.

So the accountability can’t be delegated, and I don’t try to. Nothing reaches my releasable branches without my own eyes on it first. No merge request, no commit, not from a contributor and not from one of my agents. The vigilance is mine, singularly, and that’s deliberate, because the blame is mine too, singularly, and they’re the same coin. It’s an easier thing to say as a one-man outfit than it’ll be if that ever changes. But the principle doesn’t get cheaper at scale. It just gets harder to honour, which is a very different thing from optional.
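The two scenarios above, the pinned public key a release host can’t quietly swap and the rotten build that my own automation signs anyway, as an added example that is not go-tool-base’s own code. It assumes a checksums manifest in sha256sum format, and uses Go’s Ed25519 in place of OpenPGP and KMS so it runs offline; the layered check is the same shape.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// verifyRelease: the manifest signature must verify against a key pinned out-of-band, and only
// then is the artifact's SHA-256 compared with its manifest entry (Ed25519 stands in for OpenPGP).
func verifyRelease(pinned ed25519.PublicKey, manifest, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pinned, manifest, sig) {
		return fmt.Errorf("manifest signature does not verify against the pinned key")
	}
	var want string
	for _, line := range strings.Split(string(manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name { // "<sha256 hex>  <file>"
			want = f[0]
		}
	}
	if sum := sha256.Sum256(artifact); want == "" || hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: not in the signed manifest, or checksum mismatch", name)
	}
	return nil
}

// signRelease is the publisher's side: hash each artifact into a manifest and sign the
// manifest, not the artifacts, with the release key.
func signRelease(priv ed25519.PrivateKey, names []string, files map[string][]byte) (manifest, sig []byte) {
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	manifest = []byte(b.String())
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed: the release key the user has pinned
	_, other, _ := ed25519.GenerateKey(nil)  // constructed: a key a release host might swap in
	name, good, bad := "tool_linux_amd64", []byte("constructed good build"), []byte("constructed trojaned build")
	m, s := signRelease(priv, []string{name}, map[string][]byte{name: good})
	fmt.Println("genuine release:     ", verifyRelease(pub, m, s, name, good))
	m2, s2 := signRelease(other, []string{name}, map[string][]byte{name: good})
	fmt.Println("re-signed, wrong key:", verifyRelease(pub, m2, s2, name, good))
	m3, s3 := signRelease(priv, []string{name}, map[string][]byte{name: bad}) // automation signed the bad build
	fmt.Println("bad build, real key: ", verifyRelease(pub, m3, s3, name, bad)) // nil: the seal is telling the truth
}
```

The last case is the one to sit with: the verifier returns no error, because the signature is answering the only question it was ever built to answer, and the answer is “Matt”.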

What standing behind it looks like

If you want to see the duty done properly, look at how OpenAI handled the Axios incident earlier this year. A poisoned dependency had got at the material used to sign their macOS app. They had every reason to believe their certificates were fine. They revoked them anyway, and rebuilt, because the cost of being wrong was their users’ machines and their own name on the door. That’s what holding the power looks like. You act on the possibility of compromise, not the proof of it, because by the time you’ve got proof it’s already on somebody’s laptop.

It’s also why I’ve come to treat trust as layers rather than a single tick in a box. The release signature is one layer. Notarisation is another: every macOS binary go-tool-base ships is notarised by Apple as well, and has been for a good while. There will be more, and the Rust side of my tooling has its own signing coming very soon. None of them is the answer on its own. Each one is just another check, another name standing behind the thing. And the part I care about most, as someone who builds tools other people build on, is handing that same machinery to them, so they can stand behind their own releases for their own customers instead of trusting that someone, somewhere up the chain, did the diligence.

Vigilance, still

I’d love to tell you there’s a clean technical fix on the way, a trust system the honest villain can’t game… There isn’t. We’ve tried plenty, and some have aged better than others. (I’m looking at you, blockchain, the confident answer to a question almost nobody was asking!) Whatever we build next, the same loop runs: the mechanism gets more elaborate, so the attacks on it get more insidious, so the mechanism gets more elaborate again. We have spent the whole of human history moving trust further and further from the blood bond that used to ground it, and every step we take away from a person who will answer for it, the honest villain takes right alongside us.

Maybe there’s a version of the future where this stops… some distant place where nobody needs to cheat because nobody wants for anything, and greed has quietly retired. I’m not holding my breath. Until then the job is the unglamorous one it has always been: stay vigilant, act before you’re certain, and keep trust as close as you can to a person who’ll stand behind it. Because that is the only thing a seal ever was. Not a promise that the thing is good. A name, and someone willing to answer to it.
